AOL Implements Anti-Spoofing Technology

America Online is experimenting with an anti-spoofing technology that lets recipient ISPs verify the origins of e-mail that appears to be from an AOL domain.

The protocol, a version of a proposal called Sender Permitted From (SPF), ties sender ISP addresses to domain name service (DNS) records. This allows recipients' e-mail systems to validate the purported "from" address of a message to ensure it comes from the matching IP addresses published on the domain name service.

"The reason why we are doing this is simply because we place a great amount of importance of the value and the sanctity of AOL e-mail," said Nicholas Graham, an AOL spokesperson. "We are very interested in protecting our brand, especially our e-mail, because it is the very heart of the AOL service."

For the system to work, of course, every AOL mail recipient would have to have a system in place to perform verification. And the verification wouldn't do much good unless recipients can appropriately deal with the e-mail if the IP addresses and the domain name don't match (i.e. delete, report, or put it in a spam folder). Still, for any anti-spam or anti-spoofing system to take hold, someone has to take a first step. That's what AOL is doing with its implementation of SFP. If it's successful, the company says it will work to get others in the industry to join it.

"It all depends on the results of this experimental phase that we are in right now," said Graham. "The expectation is that is something that we would deploy and that others would deploy, too."

SFP is one of many changes to SMTP (simple mail transfer protocol) proposed recently as Internet players struggle to deal with the weight of spam, which often involves spoofing and phishing . Yahoo! recently proposed DomainKeys, similar to SPF, but using public key cryptography, to deal with the same spoofing issue. Members of the Internet Research Task Force's (IRTF) Anti-Spam Research Group also proposed a number of changes to the SMTP protocol, including a version of SPF.

Companies best positioned to effect change are colletively referred to as AMEY (AOL, Microsoft, EarthLink and Yahoo!). AMEY partnered in an Anti-Spam Alliance announced last April. AOL is taking a unilateral approach with its SFP implementation, but says it continues to work with the alliance partners. Some cooperation will likely come in the form of feedback AOL will solicit from partners and stakeholders as it experiments with SFP.

"We're talking the first step here," said Graham. "We are the first ISP to deploy this. We believe that this is a good Netizen effort. This is part of a good 'neighborhood watch' program in the spam arena."